Q&A Document for Washington Post Going Dark Interview 

Answers vetted and approved by OTD, OGC 


1. How has the Going Dark problem gotten worse for law enforcement over the past year?

The impediments faced by law enforcement have been getting worse for quite some time.
[illegible] number of providers [illegible]
been covered [illegible] since 1994 and VoIP and broadband have
been covered since a 2005 FCC ruling. That's a long time ago in terms of the industry.
Over the last year many providers have used what has been reported in the media about bulk
[illegible] even though [illegible]
comparable capabilities to those reported. Law enforcement is dependent on
provider assistance to conduct court ordered electronic surveillance.


2. [illegible] experienced any reduced cooperation from communication providers as a
result of the disclosures attributed to Edward Snowden?

[illegible] that perception of assisting law
disregarding their user's rights to privacy. In addition to providing [illegible]
order enforcement must abide by the rigorous constructs of law when applying for a court
[illegible] capabilities [illegible] be [illegible] developed to address the real
day-to-day needs of law enforcement when a court grants that lawful authority.


3. Why does law enforcement believe companies should be forced to build in backdoors
when designing services? Don't backdoors pose a security risk for companies?

That's a common misperception of what law enforcement needs and what law enforcement is
requesting. Law enforcement is not asking for unfettered access into any provider’s network.
Let's talk about the CALEA paradigm - the industry develops a technical [illegible]
[illegible] public can be assured the capabilities are commensurate with
the already existing authorities granted to law enforcement by statute. Second, the industry


4. The FBI has launched the NDCAC. Is it working as expected? Can I learn more about
the NDCAC?

The NDCAC was designed as a hub for technical knowledge management that facilitates
[illegible] capabilities of certain law
enforcement agencies to benefit a larger portion of [illegible].
More information is available on the website: http://www.ndo.ac ej ic gpy 



5. It has been reported the government receives a daily dump of screen shots from
companies... why is this not good enough?


In some cases subject to legal process, it may be enough that law enforcement receives a daily

But in many instances, the information is
[illegible] the capability. Further, there is significant disparity in what
companies offering similar [illegible] provide to [illegible] enforcement. [illegible] is simply not a lot of
consistency across the [illegible]

[illegible] enforcement receiving “screen shots” in that they are typically not
usable for effect [illegible] needs the information in a format that is readily

[illegible] would necessitate a vitally important discussion about what
providers must furnish to law enforcement in response to a court order. Importantly, that
discussion would result in uniformity in the information law enforcement can expect from
providers and what companies can expect to provide.


6. [illegible] companies refusing [illegible] court [illegible]

There are a number of ways companies can thwart law enforcement’s attempts - refusing to
implement a court order or delaying that implementation can irreparably set back an
[illegible] Law enforcement understands that there may be instances where it is technically
[illegible] absent some [illegible] to how a [illegible]
[illegible] enforcement to understand the root cause of some
instances where a company refuses to comply with a court order.

[illegible] court-based recourse available to law enforcement is to pursue an order to show
cause. In essence, a court would require a company to explain why it cannot meet the


7. Has the problem of encryption gotten worse since Snowden, with more companies 
advertising encryption services? How is the FBI dealing with enhanced encryption?

Yes. In the rush to address bulk collection, law enforcement’s needs are being overlooked 

[illegible] Law enforcement has no issue with these companies’ commitment to “keeping users’
encryption technology to prevent unauthorized surveillance on our networks [illegible]
government requests to ensure that they are legal and reasonable in

What is missing is a vigorous commitment to assist law enforcement when electronic

[illegible] need to move forward and develop a framework under which both
[illegible] striking an appropriate balance among the public’s privacy interests, the
industry’s goals of competition and innovation, and the needs of law enforcement.

Provided separately



Follow-up Q&A for Washington Post Going Dark Interview

Answers vetted and approved by OTD, OGC 


1. Here’s the dilemma as the government sees it. Wiretap law requires a company or 
individual to provide “technical assistance” to an official with a valid electronic 
surveillance order. But most Internet-related companies are not required by law to 
make sure that their systems are wiretap-ready. And the phrase “technical assistance” 
is vague, permitting differences of interpretation. Correct? 

Yes. The dilemma can best be characterized as follows. The impediments faced by law 
enforcement have been getting worse for quite some time. As technology continues to advance, 
new services are introduced, and the number of providers increases, law enforcement faces an
increasing number of diverse challenges. Many of the newest communications services are 
developed and deployed without consideration of law enforcement’s “lawful intercept” needs 
(i.e., legally authorized electronic surveillance). CALEA applies to traditional 
telecommunications carriers, providers of interconnected Voice over Internet Protocol (VoIP)
services, and providers of broadband access services. “Traditional” providers have been covered 
under CALEA since 1994, and VoIP and broadband have been covered since a 2005 FCC ruling. 
That is a long time ago in terms of this industry and CALEA does not impact a significant 
number of communications service providers in today’s marketplace. 

It is also important to note that the “technical assistance” clause in federal wiretap law is often 
insufficient. The assistance furnished by some providers simply does not provide law 
enforcement with the information it requested and which it needs to fully understand or acquire 
the relevant communications. It is more than a difference of interpretation in that, without more 
specific guidance as to what constitutes “technical assistance,” a provider may do all that it can 
and still not be able to provide law enforcement the information it needs to do its job. 

As a practical matter, a CALEA compliant provider who has built an intercept capability into
its architecture will most likely be able to assist law enforcement immediately, whereas a 
provider that has no solution and attempts to render “technical assistance” likely will not. In 
most instances, providers attempting to render assistance must divert resources to react to an 
immediate situation, such as a hostage-taking or kidnapping scenario, where time is of the 
essence. Despite their best efforts, critical information will be lost due to the delay. 


2. Wanted to confirm that Amy was saying: Anything short of real time interception is not 
fully complying “because we didn't get all the information we needed or because it 
wasn’t provided consistently.” 

In many instances, information provided in response to intercept orders is incomplete or not 
provided in a timely manner to support every type of investigative requirement, especially when 
dealing with crimes in motion (e.g., kidnapping, extortion, drug trafficking). Also, not every 
company has an intercept capability and there is significant disparity in what companies offering 
similar services can provide to law enforcement. There is simply a lack of consistency across the
industry. The lack of capability and lack of consistency negatively impact law enforcement’s
ability to fully understand the extent of a criminal’s activities, identification of co-conspirators, 
and location of victims. 


3. On DRIP: It looks like the British parliament is going to pass the law. It will not only 
ensure that U.K. companies store customer data for the government but it gives the 
government the right to require non-U.K. companies outside the country to build 
wiretap capabilities. My understanding is that the FBI several years ago floated draft 
legislation that included an analogous provision — to require non US companies outside 
the US to build wiretap capabilities if directed, but the proposal died. Please let me 
know if that is not correct. 

It is premature to comment on how the UK legislation will impact United States law 
enforcement's ability to effect court orders; however, it does reflect the fact that the UK is facing
a similarly daunting challenge in conducting electronic surveillance. 

4. Also, I am told that there has never been a fine issued under either CALEA or the 2518 
provision of the Wiretap Act. 

It is true that fines have not been issued under the CALEA enforcement provisions set forth in 
Title 18 U.S.C. Section 2522 which, in turn, incorporate the provisions of Section 108 of 
CALEA. As written, the enforcement provisions are cumbersome and the pursuit of 
enforcement can be a lengthy, complicated, and resource-intensive process. In many cases, the 
investigation which identified the capability gap would be closed long before any action would 
be taken. However, it is not correct to imply that the enforcement provision of the law cannot 
have any effect. The enforcement provision allows law enforcement to raise non-compliance 
issues to the attention of a company’s senior management and/or general counsel and work 
toward a common understanding of the company’s obligations. Law enforcement and 
prosecutors are more interested in ensuring companies have the appropriate capabilities at their 
disposal when served with a court order than pursuing fines or penalties through prolonged 
litigation of the underlying issues, but this option remains viable, if needed. 

5. Still would like to know your response to experts who say that building in a wiretap 
solution builds in insecurity into the system. 

Developing intercept solutions during the service’s design phase allows providers to minimize 
risk from the outset. Such solutions are likely to be better, smarter, cheaper, and more secure 
than solutions that are retrofitted to existing products. There was similar apprehension during 
the initial stages of discussions about CALEA, i.e. that there would be an increased security risk 
in having technical solutions resident in carriers’ networks. That prediction has not come to pass. 
In fact, as intended when CALEA was passed, individuals’ privacy interests are better protected 
when a company has an intercept solution in place that allows them to isolate and provide to law 
enforcement only those communications of the individuals who are subject to the court order. 



An open, transparent process for identifying technical lawful intercept capabilities benefits 
everyone. Privacy advocates and the public can be assured the capabilities are commensurate 
with authorities that already exist and are granted to law enforcement by statute. In other words, 
law enforcement is not asking for additional authorities, but rather just the ability to use the 
authorities we already have. Under this construct, industry will clearly understand its 
responsibilities and all providers will be held to the same standard (i.e., the level playing field). 
Moreover, law enforcement can be assured it will receive what it is authorized to collect, 
regardless of service provider. 

6. Still interested in the rough number of companies/apps that the FBI knows will not 
provide RT data. 

There are hundreds of communication service providers which meet this definition. The FBI has 
experienced numerous situations when a communication service provider cannot or will not 
provide real time data. In some instances, the FBI leverages its Engineering Research Facility to 
help develop a solution, working cooperatively with the company. In other situations, depending 
on the nature of the service, it may be feasible to gain alternative access to another service 
provider and isolate the communications of the suspect. There have been instances where those 
avenues are determined to not be feasible and the FBI does not pursue obtaining a court order. 
The number of such communication service providers that offer new services which do not have 
an electronic surveillance capability continues to grow as technology continues to evolve. 



